Information Security: Employee Errors Put Data at Risk

Government data security breaches include e-mail, Web site attachments.

If you work in IT, recent goings-on in the security realm could be enough to make you throw your arms up in despair and kiss the safety of your data goodbye. Reports make it seem downright hopeless.

The 2008 Data Breach Investigations Report released by the Verizon Business Risk Team compiled data from more than 500 forensics cases the team handled from 2004 to 2007, comprising more than 230 million breached records. Although some of the breaches were attributed to malicious activity, human error contributed to 62 percent of the cases.

And things don't look much better in government. News-savvy professionals may have kicked off the year by reading sobering figures released by the Identity Theft Resource Center (ITRC), a nonprofit that educates organizations on fraud and identity theft mitigation. In 2008, more than 2 million government and military records were accidentally compromised, and 638,000 were compromised while data housed on laptops and other mobile equipment. That's nearly 2.7 million total breached records.

Misadventures in Data Handling

Although IT managers may not immediately think of accidental breaches when data security comes to mind, these types of errors have often popped up in the public sector recently.

Case in point: On Dec. 18, 2008, the Concord Monitor reported that the names, addresses and Social Security numbers of more than 9,000 citizens enrolled in Medicare Part D were included in an e-mail attachment that New Hampshire's Department of Health and Human Services sent to health-care providers. And why? Someone goofed, according to the newspaper.

"We have a process in New Hampshire where staff periodically send out informational updates to our health and human service providers with regards to any changes or information pertinent to the Medicare Part D program," said Nancy Rollins, associate commissioner of the department.

On Dec. 1, 2008, the department e-mailed 61 service providers informing them that New Hampshire would be offering fewer plans in the 2009 program. But the message's Microsoft Excel attachment contained quite a bit more.

"Part of the workbook also contained information regarding low-income subsidy individuals who are on Medicare Part D," Rollins said. The private information belonged to more than 9,000 individuals, about half of New Hampshire's 18,000 program enrollees at the time.

"The data, however, wasn't easily discerned unless you actually went into the workbook and clicked on a couple of other tabs, and then you had to scroll from right to left, so you had to really dig for this," Rollins said.

On Dec. 4, one of the providers, Granite State Independent Living, called to notify the state that it had received the extra data. Health and Human Services went to work on the issue.

"We immediately contacted all of our original folks that we had sent the e-mail to, asked them to delete the e-mail and attest to the fact that they had indeed deleted the e-mail," Rollins said.

Some of the service providers forwarded the e-mail to other recipients however. In the end, Rollins recalled, about 481 recipients received more information than they were supposed to.

Health and Human Services also asked providers to follow up with the agencies to whom they forwarded the information and ask them to delete it, and the department also requested written confirmation that the e-mail was deleted. In addition, the department created a three-person team to review information-handling procedures.

New Hampshire's breach, as embarrassing as it was, isn't an anomaly in government. Breaches have been in the news -- either due to mistakes by personnel or while data was in transit.

By day, Hilton Collins is a staff writer for Government Technology and Emergency Management magazines who covers sustainability, cybersecurity and disaster management issues. By night, he’s a sci-fi/fantasy fanatic, and if he had to choose between comic books, movies, TV shows and novels, he’d have a brain aneurysm. He can be reached at hcollins@govtech.com and on @hiltoncollins on Twitter.